How Hackers Can Take Control Over Your Car

MADISON, Wis. -- You might have seen that frightening episode of the CBS series, Person of Interest, in which a fictional social media company's billionaire founder loses control of his car.

From the street, the driver appears to be either a total nutcase (well, in this case, he is) or heavily intoxicated. His car weaves through traffic left and right, crossing lanes willy-nilly and clipping other cars.

But inside the car, the driver is helpless. Any control he tries, especially the brakes, is overridden, apparently by the car itself. Unbeknownst to the driver, of course, the car is under remote control.

Inevitably, the car blows up (creating an exciting visual). However, the software genius escapes in the nick of time.

This, of course, is TV drama. It's fiction. A remotely compromised car is a scenario that makes a good thriller and scares the bejesus out of viewers. But possible in real life? No way.

Well, wait a minute.

Way.

In March 2011, a team of scholars at the University of Washington joined with colleagues from the University of California-San Diego, in a technical paper entitled "Comprehensive Experimental Analyses of Automotive Attack Surfaces." They prepared it for the National Academy of Sciences (NAS) committee on electronic vehicle controls and unintended acceleration.

Dirk Besenbruch, engineer, group leader of Systems & Applications, Automotive, at NXP Semiconductors, recalls the paper as a wakeup call. "It triggered our work at NXP" on automotive security, he said in a recent phone conversation with EE Times.

The academics' point was to debunk automotive industry skepticism about the hackability of on-board electronics. The industry's conventional wisdom was that "to implement an attack, the attacker would need to physically connect attack hardware to the car's internal computer network."

That got the university researchers going. They ran "a systematic and empirical analysis of the remote attack surface of late model mass-production sedan," according to the authors.

The researchers were aware, as they conducted their study, that no serious security automotive security breach -- like the one on the TV show -- has ever compromised the safety of cars and drivers in the real world. The paper's author pointed out, "Traditionally automobiles have not been network-connected and thus manufacturers have not had to anticipate the actions of an external adversary."

In the paper, however, they cautioned: "Our automotive systems now have broad connectivity; millions of cars on the road today can be directly addressed via cellular phones and via Internet."

CAN bus is the crux of the issue?
While noting that the CAN bus is a "good, fault tolerant network" inside a car, NXP's Besenbruch acknowledged that there are a number of ways hackers can worm their way into the internal network and get to the Electronic Control Unit (ECU).

The flexibility of the CAN bus has created a safe and cost-effective network enabling vendors to attach a number of computer control systems (ranging from the window controllers to the locks and critical safety elements such as brakes and engine). But that flexibility also creates the opportunity for new attacks -- including one in which a car's internal network can circumvent all computer control systems including mission-critical functions. Besenbruch acknowledged that it's entirely feasible for someone to remotely turn the car-audio volume ALL THE WAY UP, for example, or worse, stop or start the engine at will.

Car entertainment and car infotainment are two very important technology related to the improvements in car infosystems. Several, new technologies are also being implemented in car industry also. Car sensors and car electronic dashboards are quite helpful for the car traffic control and proper route detection also. Auto parts repair and service also very necessary for the safety of the vehicle or car users. It will help in safe driving by the vehicle operator.

Hi, Etmax. I believe you are right. For attack scenarios using bluetooth cellular does require the previous physical access, if I understood it correctly.

Aside from the debate over how easy or difficult it is to gain the previous physical access to a car that is to be attacked (and I agree, it would be difficult), it still boggles my mind how easy bluetooth pairing was done in that attack test scenario.

I agree thaqt accessing the OBD-II is an age-old problem, which is hard to solve.

This was largely my understanding (gateway) but the article desribed a less complicated structure. A Diesel truck I was working on a while back had 2 buses, an internal TCM to ECM path and an instrument cluster path and given that dealers can reflash the ECU as part of recall processing the OBD-II port would need programming access to that bus. I'll grab a few manuals and have a further think about this.

I doubt very much that an OBD2 connection is connected directly to the engine bus. Instead the connection is likely to a gatweay which provides the OBD2 standard messages.

This is easy to test: short out the CAN wires on the OBD2 connector and see if the engine runs. There is no way any sane car designer is going to have that connector connected so it can tamper directly with the main CAN bus.

By the way, CAN is really easy to DOS. Just dshort the wires, or continually send priority 0 packets. These have a higher priority and will prevent any other trafic on the bus.

At the end of the day, anyone with physical access can do anything they want: mess with the fuel, cut fuel lines, .... The only bene fit of doing an electronic attach is that you **might** be able to do damage without leaving any trace that you were being naughty.

These days, however, many vehicle manufacturers are doing a whole lot of run-time verification to reduce the possibility of tampering and are logging strangeness for diagnosis as well as for evidence during court cases.

Yes the original article weighed heavily on getting the OBD-II port accessed. I read the article too, and it was very unclear as to wheather the OBD-II attack was necessary in addition to the Bluetooth/cellular attacks. I agree with your mention of the normal CAN messaging only allowing certain things to be transported, but would like to add that if you have access to the CAN bus itself via an OBD-II pass thru then reprogramming of every module on that bus becomes a possibility unless the module manufacturer disables it explicitly.

Assuming for the moment that this hasn't been done then in my mind far easier than the methods proposed in the original article would be to design a module that you can attach to the CAN bus in a few minutes that can at your leasure give you access to module reprogramming when you chose. Because the CAN HW layer won't let you crash the bus (something a simple wire link could of course do) you would need to do things like invoke special test modes that do allow control and are there for service puposes, and it would just be so much easier to develop and debug with the same level of mischief as the interfaces are specified in the OBD-II standards and manufacturer documentation.

Hi Krisi, having an inside ticket to this I can say that some of the push is cost savings for the vehicle manufacturer in the build of the vehicle, part is warranty cost reduction by making the vehicle's systems easier to debug and part is to make it cheaper to add luxury features for next to no cost but still be able to charge for them. Then there's the majority of buyer that want the extra functionality I could write a thesis on this as to where all of cost benefits come but suffice to say here it's worth it for them and we're along for the ride (like it or not). These comments are explicitly related to vehicle networks, not the actual electronification of cars. I could do a thesis on that as well. :-) Some are common to the above and some additional. Purely on electronics in cars, this actually saves the buyer money for real benefit.

Hi Bert, in fact fails safe modes for all sensors are part of the design criteria for intelligent car modules. That sad fact of the matter is that more and more car design is being done in countries where most engineers don't drive a car :-) I worked for this unnamed automotive electronics manufacturer that moved design of an OEM program to Singapore where car ownership is at maybe 12% according to Wikipedia and when I was there only 1/2 the engineers had cars and none tinkered with them, essential to fully understanding things (I believe). In any case the issues that arose from that program were many. On my car the throttle position sensor had an intermittent fault and the only thing that was noticable was the car's inability to accelerate fast from a standstill. This was obiously missed on the ABS system mentioned resulting in the recall. I read the article that Junko referred to, and they put a lot less effort into it than professional crime gangs do into Windows exploits, but a hacker having OBD-II access to a car in my opinion is the same as giving your computer to the hacker to do as he sees fit, and is therefore indefensible. I.e as you say the same as cutting brake lines.